Great Circle Associates Majordomo-Workers
(January 1997)
 


Subject: Is anybody using this (mis)feature?
From: Dave Wolfe <dwolfe @ risc . sps . mot . com>
Date: Wed, 1 Jan 1997 15:17:27 -0600 (CST)
To: majordomo-users @ greatcircle . com (Majordomo user's mailing list)
Cc: majordomo-workers @ greatcircle . com (Majordomo developer's mailing list)
Reply-to: Dave Wolfe <david_wolfe @ risc . sps . mot . com>

There's an undocumented (mis)feature in resend where if the
approve_passwd string from the list .config file begins with a '/'
character, the string is used as an absolute pathname to a file
containing the password. There is no mechanism for remote management of
that file unless it happens to be the absolute path to the list .passwd
file (which can be managed via the 'passwd' command). However, that
means that the list approver has access to the master password for the
list and thus complete control of the list rather than just approval
privileges.

Anyone using approve_passwd in the latter fashion wouldn't be affected
if this feature went away (that approver already has full control and
doesn't need approve_passwd to specify the .passwd file), but is anyone
depending on it to specify another, unmanaged file? If so, why? I'm
submitting a patch for 1.94.2 to remove, or at least comment out, that
code in resend because it's a security trap for the unwary and offers no
apparent advantages.

-- 
 Dave Wolfe
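
The check below is an added example, not part of the original message and not Majordomo code: it audits list configs for the behaviour described above, separating literal passwords from absolute paths and flagging the case where the path is the list's own .passwd file. The `keyword = value` config layout, the `<list>.passwd` file name, the list names and the directory paths are assumptions made for the example.

```python
import posixpath
import re

# Assumption: list config files use "keyword = value" lines with '#' comments.
APPROVE_RE = re.compile(r"^\s*approve_passwd\s*=\s*(\S.*?)\s*$")

def approve_passwd_value(config_text):
    """Return the first approve_passwd value in the config text, or None."""
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = APPROVE_RE.match(line)
        if match:
            return match.group(1)
    return None

def classify(config_text, list_name, lists_dir):
    """Classify how a list's approve_passwd would be interpreted by resend."""
    value = approve_passwd_value(config_text)
    if value is None:
        return "unset"
    if not value.startswith("/"):
        return "literal"             # the value itself is the approval password
    target = posixpath.normpath(value)
    master = posixpath.normpath(posixpath.join(lists_dir, list_name + ".passwd"))
    if target == master:
        return "master-passwd-file"  # approver shares the list's master password
    return "unmanaged-file"          # no remote way to change this password

# Constructed sample configs (hypothetical list names and paths).
LISTS_DIR = "/usr/local/majordomo/lists"
SAMPLES = {
    "staff": "# comment\napprove_passwd = s3kr1t\n",
    "announce": "approve_passwd = /usr/local/majordomo/lists/announce.passwd\n",
    "dev": "approve_passwd   =   /etc/majordomo/dev.approve\n",
    "quiet": "# approve_passwd = /tmp/ignored\nmoderate = no\n",
}

def audit(samples=SAMPLES, lists_dir=LISTS_DIR):
    """Map each list name to its classification."""
    return {name: classify(text, name, lists_dir) for name, text in samples.items()}

if __name__ == "__main__":
    for name, verdict in sorted(audit().items()):
        print(f"{name}: {verdict}")
```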

